Showing 41 of 41 total issues
Unescaped model attribute Open
= paginate groups
Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.
XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject JavaScript or HTML into the page which will be interpreted and executed by the browser.
In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.
See the Ruby Security Guide for more details.
Query Parameters and Cookies
ERB example:
<%= params[:query].html_safe %>
Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:
Unescaped parameter value near line 3: params[:query]
By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.
For example:
<%= raw some_method(cookies[:name]) %>
This raises a warning like:
Unescaped cookie value near line 5: some_method(cookies[:oreo])
However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.
Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.
Model Attributes
Because (many) models come from database values, Brakeman mistrusts them by default.
For example, if @user is an instance of a model set in an action like
def set_user
  @user = User.first
end
and there is a view with
<%= @user.name.html_safe %>
Brakeman will raise a warning like
Unescaped model attribute near line 3: User.first.name
If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.
Unescaped parameter value Open
%th= filterrific_sorting_link(@filterrific, :group, filterrific_options())
Unescaped parameter value Open
%th= filterrific_sorting_link(@filterrific, :rows, filterrific_options())
Mass assignment is not restricted using attr_accessible Open
class CollectionMatrix < ApplicationRecord
This warning comes up if a model does not limit what attributes can be set through mass assignment.
In particular, this check looks for attr_accessible inside model definitions. If it is not found, this warning will be issued.
Brakeman also warns on use of attr_protected - especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected will be reported, but at a lower confidence level.
Note that disabling mass assignment globally will suppress these warnings.
Unescaped parameter value Open
= paginate matrices
Assignment Branch Condition size for show is too high. [<7, 20, 2> 21.28/17] Open
def show
# List of permitted fields for params
permitted_params = params.permit([{ filterrific: %i[reset_filterrific sorted_by] },
:format, :group, :page, :per_page, :utf8, :_])
Checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric and https://en.wikipedia.org/wiki/ABC_Software_Metric.
Interpreting ABC size:
- <= 17 satisfactory
- 18..30 unsatisfactory
- > 30 dangerous
You can have repeated "attributes" calls count as a single "branch". For this purpose, attributes are any method with no argument; no attempt is made to distinguish actual attr_reader from other methods.
Example: CountRepeatedAttributes: false (default is true)
# `model` and `current_user`, referenced 3 times each,
# are each counted as only 1 branch if
# `CountRepeatedAttributes` is set to 'false'
def search
  @posts = model.active.visible_by(current_user)
                .search(params[:q])
  @posts = model.some_process(@posts, current_user)
  @posts = model.another_process(@posts, current_user)
  render 'pages/search/page'
end
This cop also takes into account IgnoredMethods (defaults to []).
Missing top-level documentation comment for class CollectionMatricesController. Open
class CollectionMatricesController < ApplicationController
Checks for missing top-level documentation of classes and modules. Classes with no body are exempt from the check and so are namespace modules - modules that have nothing in their bodies except classes, other modules, constant definitions or constant visibility declarations.
The documentation requirement is annulled if the class or module has a "#:nodoc:" comment next to it. Likewise, "#:nodoc: all" does the same for all its children.
Example:
# bad
class Person
# ...
end
module Math
end
# good
# Description/Explanation of Person class
class Person
# ...
end
# allowed
# Class without body
class Person
end
# Namespace - A namespace can be a class or a module
# Containing a class
module Namespace
# Description/Explanation of Person class
class Person
# ...
end
end
# Containing constant visibility declaration
module Namespace
class Private
end
private_constant :Private
end
# Containing constant definition
module Namespace
Public = Class.new
end
# Macro calls
module Namespace
extend Foo
end
Example: AllowedConstants: ['ClassMethods']
# good
module A
module ClassMethods
# ...
end
end
Missing top-level documentation comment for module ApplicationHelper. Open
module ApplicationHelper
Assignment Branch Condition size for submit is too high. [<6, 20, 4> 21.26/17] Open
def submit
# Verify the reCaptcha
if verify_recaptcha
permitted_params = params[:submitted_matrix].permit(:submitter_name,
:submitter_email, :display_email, :name, :kind, :notes,
Missing top-level documentation comment for module CollectionMatricesHelper. Open
module CollectionMatricesHelper
Missing top-level documentation comment for class ApplicationRecord. Open
class ApplicationRecord < ActiveRecord::Base
Use a guard clause (return if @matrix) instead of wrapping the code inside a conditional expression. Open
unless @matrix
Use a guard clause instead of wrapping the code inside a conditional expression
Example:
# bad
def test
if something
work
end
end
# good
def test
return unless something
work
end
# also good
def test
work if something
end
# bad
if something
raise 'exception'
else
ok
end
# good
raise 'exception' if something
ok
# bad
if something
foo || raise('exception')
else
ok
end
# good
foo || raise('exception') if something
ok
Example: AllowConsecutiveConditionals: false (default)
# bad
if foo?
work
end
if bar? # <- reports an offense
work
end
Example: AllowConsecutiveConditionals: true
# good
if foo?
work
end
if bar?
work
end
# bad
if foo?
work
end
do_something
if bar? # <- reports an offense
work
end
Missing top-level documentation comment for class PagesController. Open
class PagesController < ApplicationController
Missing top-level documentation comment for module EmailHelpers. Open
module EmailHelpers
Missing top-level documentation comment for module GroupsHelper. Open
module GroupsHelper
Do not prefix reader method names with get_. Open
def self.get_base_url
Makes sure that accessor methods are named properly. Applies to both instance and class methods.
NOTE: Offenses are only registered for methods with the expected arity. Getters (get_attribute) must have no arguments to be registered, and setters (set_attribute(value)) must have exactly one.
Example:
# bad
def set_attribute(value)
end
# good
def attribute=(value)
end
# bad
def get_attribute
end
# good
def attribute
end
# accepted, incorrect arity for getter
def get_value(attr)
end
# accepted, incorrect arity for setter
def set_value
end
Assignment Branch Condition size for index is too high. [<7, 20, 3> 21.4/17] Open
def index
# List of permitted fields for params
permitted_params = params.permit(PERMITTED_PARAMTERS)
# Initialize filterrific filtering system
Missing top-level documentation comment for class GroupsController. Open
class GroupsController < ApplicationController
Rename is_checked to checked?. Open
def is_checked(filterrific, filter_checkboxes)
Makes sure that predicates are named properly.
Example:
# bad
def is_even(value)
end
def is_even?(value)
end
# good
def even?(value)
end
# bad
def has_value
end
def has_value?
end
# good
def value?
end
Missing top-level documentation comment for class AdminNotifierMailer. Open
class AdminNotifierMailer < ApplicationMailer